The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues

Expanding reach - from leg out to negative scope

Through its Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/
and 2009/110/EC and repealing Directive 2007/64/EC (
) the European Commission (the Commission) has sought to expand the regulatory reach of the existing Payment Services Directive (PSD), by using various tools. Firstly, the Commission has amended the scope of the so called ‘leg-out’ transactions by ensuring that the Title III transparency and information requirements for consumer payments and the Article 78 value date and availability of funds requirements extend to transactions with third countries where only one payment service provider (
) is in a European Union (
) Member State. The impact of these provisions will vary between Member States, depending on their transposition of the relevant PSD provisions. Secondly, the Commission has clarified that Title III will now apply to payments made in any currency. The Commission has also amended the negative scope provisions by clarifying - or rather narrowing - their scope. Specifically, the automated teller machine (ATM) exemption of Article 3(o) has been removed, while the limited network and the mobile device content exemptions have been amended. These are now restricted to being used in respect of genuinely small networks (and only upon recognition of such network from the competent authorities) and in respect of ancillary services with a cap per transaction (respectively). Accordingly,
should consider their current arrangements and ensure that they have not been affected by these changes in scope. Opt-out and operational clauses contained in customer documentation may also have to be revisited.

Protecting payment service users?

Having come closer to achieving a single market for payment services, the Commission is now looking at using payments legislation as a consumer protection tool. Accordingly,
are no longer able to charge payers for making the appropriate notification in the event of loss/misappropriation of the relevant instrument.
therefore will need to revisit their policies in this respect and adapt them accordingly.

are also under an obligation to restore a debited payment account to its pre-unauthorised transaction state by no later than the date when the account was debited and a new unconditional right of refund has been introduced in respect of direct debits, except where the payee has already fulfilled its contractual obligations and the services/goods have already been received/consumed by the payer. This unconditional refund right is interesting as it is conditional on facts that are outside of the inter-bank relationship, as well as the payee/creditor bank relationship, and could potentially result in
having to get involved in disagreements over whether payers have actually consumed or received the relevant goods or services, which may not be easily verifiable and provable in all cases. Moreover, the application of this concept to direct debit transactions is not feasible, as such payments operate on different premises to other types of payment. The amendments effectively turn a contractually agreed (optional) right into an absolute right and purport to bring the PSD regime in line with the
's
Direct Debit Core Rulebook.

Here come the third party payment service providers

Arguably, the most significant amendment introduced by
has been the ‘creation’ of a new type of regulated entity, the third party payment service provider (
). This change is aimed at promoting innovation and low cost electronic payment solutions while ensuring that security and data protection are not compromised.
offer services based on access to payment accounts provided by a
in the form of payment initiation services and/or account information services and will be subject to all
provisions applicable to payment institutions.1 The definition of a
carves out of its scope account service providers (ASPSP), namely
who provide and maintain payment accounts for a payer.
offers a (slightly confused) explanation as to what the account information service includes. ‘Account information services’ are a service whereby consolidated and user-friendly information is provided to a
on one or more payment accounts held by it in one or more
. Conversely, ‘payment initiation services’ are payment services that enable access to a payment account provided by a
. The payer can be actively involved in the payment initiation or the
software. Moreover, under Article 59,
Member States have to ensure that payers have the right to obtain payment card services by using a third party payment instrument issuer and
are under an obligation to treat payment orders received in such a manner without discrimination, other than for objective reasons.

It would be fair to say that the introduction of
has brought a flood of changes to the payments landscape, the most prominent of which are outlined below.

• A stricter application regime - the Article 5 authorisation application procedure has become more rigorous. Specifically, additional information must now be submitted with payment institution applications, including descriptions of the procedure for security incidents and the customer complaints reporting mechanism, procedures around sensitive payment information, business continuity plans and policies on the collection of statistical data and fraud. The prominence of risk assessment and security, in line with other Commission proposals, is evident in
. One should note however that this stricter application regime does not sit well with Articles 10, 13 and 27 that effectively enable smaller
to commence offering their services without prior authorisation.

• Amended responsibilities and obligations -
makes its endorsement of
clear:
Member States should ensure that a payer has the right to use a
to obtain payment services enabling access to payment accounts.
are under an obligation to notify immediately the
of the receipt of a payment order and to provide information on the availability of funds on the payer's account (assuming that the payer has consented to such information being provided). Article 39 provides that a payer and a payee using a
should receive some information from the
such as, for example, information on charges or on the amount of the transaction. Interestingly,
does not stipulate the terms of use of payment instruments where a
is engaged by a
, but does state that the
has to include within a framework contract a secure procedure to notify the
in the event of fraud.
are expected to find comfort in the Article 40 provision whereby in the event of fraud or dispute the transaction reference and authorisation information should be made available to the ASPSP and the payer (when the
's own system is used to initiate the payment in question). The problem however is that Article 40 does not clarify who decides whether a fraud or dispute has occurred nor what exactly constitutes a 'dispute'.
may not defer payment initiation where payment orders come via a
, nor can they refuse payments initiated by a
for a payer. Another related thorny issue arising from the
amendments is that of consent.
allows the payer to give consent for a transaction (directly or indirectly) and introduces a new concept of deemed consent where the payer has authorised the
to initiate a payment transaction with an ASPSP. It has to be noted that the giving of consent in such form cannot be verified by the ASPSP which is under a legal obligation to protect the funds of the
.

• Free (access) for all – pursuant to Article 58
are given access to payment account information and are empowered to use such information. In return for such access,
have to ensure that the personalised security features of the
are not accessible to other parties, to authenticate themselves in an "unequivocal" manner towards the ASPSP and not to store sensitive payment data or personalised security features of the
. This means that for the first time
are allowed (or even encouraged) to communicate their personalised security features to a third party (the
). Admittedly, in a world of proliferating online fraud, this is an interesting development. More clarity is required on the elements of the requisite level of authentication and the procedures for achieving it. Moreover, the ASPSP has to immediately notify the
of the receipt of a payment order, providing information on the availability of funds, in cases where the ASPSP has received the payment order through the services of a
. The problem is that some of the obligations are not clear: for example, how would the ASPSP know how to notify the
if the ASPSP does not know about such
and what would happen in a case where the notification would amount to tipping off under anti-money laundering regulations? And most importantly, how (if at all) does
mitigate the risks that may arise by allowing third parties to gain access to information that is stored behind another
's secure firewall? It may be that the 'answer' to this question is that
, banks and other
will have to adhere to regulatory security standards and the Cyber-security Directive. Some commentators are sceptical as to whether this would be an effective ex ante way of preventing misuse of the right to go behind another
's firewall.

• Confused liability – with the imposition of new obligations and responsibilities and the introduction of new actors into the regulated payments services arena came an amended liability allocation regime, reflecting these changes. It is questionable whether
adequately grapples with the task at hand. Although the revised text seems to suggest that
and
can enter into contracts between them to allocate the liability in question, the actual legislative provisions are confused and it is questionable whether all issues can be addressed through such documentation. Article 63 effectively deems
liable for unauthorised or incorrectly executed transactions even where a
is involved. Although Article 64 attempts to place the burden of proof on
in certain cases, in reality the most likely scenario is that the APPSP will have to compensate the
and attempt to resolve the liability issue later. After all, Article 65 clearly states that APPSPs have an absolute duty to refund
for unauthorised transactions, even though the authorisation aspect of the payment is under the control of the
.
are also liable in respect of payment execution as long as the
can prove that the APPSP received the payment order.

It remains to be seen whether the final
will manage to address the plethora of issues that the current proposal gives rise to. In a world of growing online fraud, it is crucial that the right balance is struck between innovation, security and consumer protection.

Dermot Turing is a Partner and Maria Troullinou is an Associate in the financial regulation group at Clifford Chance in London.

1 It is however to be noted that Article 27 of
allows
Member States to waive certain authorisation requirements in respect of
whose average total amount of expected payment transactions of the preceding 12 months does not exceed EUR 1 million per month. This could effectively lead to many
remaining unauthorised.

Your reactions

If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.

In this article

As the payments industry was preparing for the summer holidays, the European Commission (the Commission) released its much anticipated Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/
and 2009/110/EC and repealing Directive 2007/64/EC (
).
builds on various European initiatives since the publication of the Commission's Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in January 2012 and is an attempt by the Commission to update Directive 2007/65/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market (Payment Services Directive – PSD) to reflect new developments in the payments market, as payment service providers (and other providers) adapt their business models in line with new technology. In this article, Dermot Turing and Maria Troullinou look at the key areas that
has covered and consider the impact of the proposed changes for the payments market.

Key Information in this Article

The Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/
and 2009/110/EC and repealing Directive 2007/64/EC (
) broadens the scope of the existing Payments Services Directive and captures a wider range of payment transactions. In line with the policy of the European Commission in recent years,
has a strong consumer protection element, but also seeks to promote innovation in the payments market. Accordingly, a new type of regulated entity is created, a "third party payment service provider" (
), which offers services based on access to payment accounts provided by a payment service provider in the form of payment initiation services and/or account information services. Unfortunately, the responsibility and obligation provisions contained in
, especially relating to liability allocation, do not address the plethora of issues that the changes give rise to; the reality of the heightened risk of fraud in online payments should be addressed urgently and with care.

Jargon buster:

– payment service provider.

– payment service user.

ASPSP – account servicing payment service provider.

– third party payment service provider – also referred to in other documents as TPPSP.